This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
The active forums are here.
April 02, 2012 3:07pm
Subscribe [2]#1 / Apr 02, 2012 3:07pm
I’m hoping someone can shed light on this.
Our hosting company said that 54 instances of ‘index.php’ was running on our account. We’re in a shared environment and have 5 websites running - 3 are EE and 2 are CodeIgniter.
Is it common for multiple instances of the index.php to run?
TIA
Randy
#2 / Apr 03, 2012 7:57am
Anything?
#3 / Apr 03, 2012 12:49pm
Hello carvingCode,
Thank you for posting your question here on the ExpressionEngine forums.
Where is your hosting provider seeing this information? Is this in the process list?
I am not sure I know what “running index.php” means aside from listing the processes and seeing index.php as a system process?
If you can ask about that it would be helpful.
Cheers,
#4 / Apr 03, 2012 12:54pm
I assume it would be in the process list at the server. All I know is that they claim many multiple instances of the ‘index.php’ file from one of our domains was running and not quitting. Claimed we were exploited somehow. I compared the ‘index.php’ and ‘admin.php’ files on the server against fresh copies from the extract and they were identical, except for system folder name. So… I’m curious how this can happen.
#5 / Apr 03, 2012 1:47pm
Hi carvingCode,
Not sure if this is the correct answer but I think they see it as an exploit because everything in EE is passed through to index.php to display your pages. You won’t see this from your side if you are using .htaccess to remove the index.php from the URL. But if you put index.php back and look at your URL’s and the HTML source your EE site returns to your browser you’ll see a lot of references in there using index.php.
You should ask them to provide the location of where this exploited index.php file is running from so you can check it against your site structure. This will help determine if it’s the same file or not. If it’s the same file then I don’t think there is anything to worry about as long as the contents of the file are the same as what you have on your local machine or original EE system files.
I hope that helps.
Mike
#6 / Apr 03, 2012 2:01pm
Thanks, Mike. This was my understanding. My contention is that our site was being brute force attacked. The hosting co.‘s that we were being exploited. I said, “You mean you’re going to let someone from the outside continually hit a file on one of your client’s sites and not block it in your firewall?” I’m not a server guy, but that doesn’t make a lot of sense to me.
Odd…
#7 / Apr 03, 2012 2:33pm
It could be time for another hosting company?
#8 / Apr 03, 2012 2:49pm
Yep.. Already in process. 😊
#9 / Apr 04, 2012 4:03pm
Hey carvingCode,
Is there anything else that I can help with?
Cheers,